With the coming of a New Year, we know these things to be certain: death, taxes, and… security breaches. No doubt, some of you are making personal resolutions to improve your physical and financial health. But what about your organisation’s web and mobile application security? Any set of New Year’s resolutions is incomplete without plans for protecting some of the most important customer touch points you have — web and mobile apps.

Every year, data breaches grow in scope and impact. Security professionals have largely accepted the inevitability of a breach and are shifting their defense-in-depth strategy by including a goal to reduce their time-to-detect and time-to-respond to an attack. Despite these efforts, we haven’t seen the end of headline-grabbing data breaches like recent ones affecting brands such as Marriott, Air Canada, British Airways and Ticketmaster.

App-level threats

The truth of the matter is that the complexity of an organisation’s IT environment is dynamic and growing. As new technologies and products go from production into the real world, there will invariably be some areas that are less protected than others. The apps that control or drive these new innovations have become today’s endpoint — they are the first customer touch point for many organisations.

Bad actors have realised that apps contain a treasure trove of information and, because they are often left unprotected, offer attackers easier access to data, either directly from the app or via attacks directed at back office systems. That’s why it’s imperative that security organisations protect their apps and ensure they are capable of detecting and responding to app-level threats as quickly as they arise.

In-progress attack detection

Unfortunately, the capability to detect in-progress attacks at the app level is an area that IT and security teams have yet to address. This became painfully obvious in light of the recent Magecart attacks leveraged against British Airways and Ticketmaster, among others. Thanks to research by RiskIQ and Volexity, we know that the Magecart attacks target the web app client-side.

Attackers gained write access to app code, either by compromising credentials or by using stolen ones, and then inserted a digital card skimmer into the web app. When customers visited the infected websites and completed a payment form, the digital card skimmer was activated, intercepting payment card data and transmitting it to the attacker(s).

Data exfiltration detection

During a Magecart attack, the transaction processes are otherwise undisturbed. The target companies receive payment, and customers receive the services or goods they purchased. As a result, no one is wise to a breach — until some 380,000 customers are impacted, as in the case of the attack against British Airways.

The target companies’ web application firewalls and data loss prevention systems didn’t detect the data exfiltration because those controls don’t monitor or protect front-end code. Instead, they watch traffic going to and from servers. In the case of the Magecart attacks, the organisation was compromised and data was stolen before it even got to the network or servers.

Best practice resolutions

The Magecart attacks highlight the need to apply the same vigilance and best practices to web and mobile application source code that organisations apply to their networks—which brings us to this year’s New Year’s resolutions for protecting your app source code in 2019:

Alert

First, organisations must obtain real-time visibility into their application threat landscape given they are operating in a zero-trust environment. Similar to how your organisation monitors the network and the systems connected to it, you must be able to monitor your apps. This will allow you to see what users are doing with your code so that you can customise protection to counter attacks your app faces. Throughout the app’s lifecycle, you can respond to malicious behavior early, quarantine suspicious accounts, and make continuous code modifications to stay a step ahead of new attacks.

Protect

Next, informed by threat analytics, adapt your application source code protection. Deter attackers from analysing or reverse engineering application code through obfuscation. Today’s proven obfuscation techniques can help prevent application reverse engineering, deter tampering, and protect personally identifiable information and API communications.

If an attacker tries to understand app operation through the use of a debugger, or in the unlikely event an attacker manages to get past obfuscation, threat analytics will alert you to the malicious activity while your app begins to self-repair attacked source code or disable portions of the affected web app. The key to success is quickly understanding when and how an app is being attacked, then taking rapid action to limit the risk of data theft and exfiltration.

Encrypt

Finally, access to local digital content and data, as well as communications with back office systems, should be protected by encryption as a second line of defense, after implementing app protection to guard against piracy and theft. However, the single point of failure remains the moment at which the decryption key is used.

This point is easily identifiable through signature patterns and cryptographic routines. Once found, an attacker can easily navigate to where the keys are constructed in memory and exploit them. Effective encryption therefore requires a sophisticated implementation of White-Box Cryptography, one that combines a mathematical algorithm with data and code obfuscation techniques to transform cryptographic keys and related operations into indecipherable text strings. Protecting encryption keys is often overlooked but should be considered a best practice as you forge into the new year with a renewed commitment to app security, to ensure your organisation’s health and well-being in 2019.

Protecting applications against data breach

According to the most recent Cost of a Data Breach Study by the Ponemon Institute, a single breach costs an average of $3.86 million, not to mention the disruption to productivity across the organisation. In 2019, we can count on seeing more breaches and ever-escalating costs. It seems that setting—and fulfilling—New Year’s resolutions to protect your applications has the potential to impact more than just your risk of a data breach. It can protect your company’s financial and corporate health as well. So, what are you waiting for?

Author profile: Arxan
